Upload exceeds quota for a user with unlimited quota?


#1

Steps to reproduce

  1. Enable syncing of "hidden" files.
  2. Wait for the client software to complain about insufficient space even though the server has plenty of free space and the user account has an unlimited quota.
  3. Under Activity, Not Synced tab, files named ".htaccess" are getting that quota exceeded message.

Expected behaviour

Everything syncs, or if there is a problem with .htaccess files, the error given reflects this.

Actual behaviour

Everything does not sync.

Server configuration

Operating system:
CentOS Linux release 7.4.1708 (Core)
Web server:
Apache Release 67.el7.centos.6
Database:
sqlite3 9.1.5.2
PHP version:
Version : 5.4.16
Release : 43.el7_4.1

ownCloud version: (see ownCloud admin page)
Version : 9.1.5
Release : 1.el7

Updated from an older ownCloud or fresh install:
Definitely updated -- been using ownCloud for ages.

Where did you install ownCloud from:
rpm from CentOS linux distro.

Signing status (ownCloud 9.0 and above):
?

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

"No errors have been found."

The content of config/config.php:
"Access denied."

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well-sanitized form.
The download json file is empty.
or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

{
"system": {
"log_type": "syslog",
"datadirectory": "\/var\/lib\/owncloud\/data",
"updatechecker": true,
"check_for_working_htaccess": false,
"asset-pipeline.enabled": false,
"assetdirectory": "\/var\/lib\/owncloud",
"preview_libreoffice_path": "\/usr\/bin\/libreoffice",
"apps_paths": [
{
"path": "\/usr\/share\/owncloud\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/lib\/owncloud\/apps",
"url": "\/apps-appstore",
"writable": true
}
],
"instanceid": "REMOVED",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
],
"dbtype": "sqlite3",
"version": "9.1.5.2",
"logtimezone": "UTC",
"installed": true,
"theme": "",
"loglevel": 2,
"maintenance": false,
"integrity.check.disabled": false
}
}

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Enabled:
- activity: 2.3.2
- comments: 0.3.0
- configreport: 0.1.1
- dav: 0.2.7
- encryption: 1.3.0
- federatedfilesharing: 0.3.0
- federation: 0.1.0
- files: 1.5.1
- files_pdfviewer: 0.8.1
- files_sharing: 0.10.0
- files_texteditor: 2.1
- files_trashbin: 0.9.0
- files_versions: 1.3.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- gallery: 15.0.0
- notifications: 0.3.0
- provisioning_api: 0.5.0
- systemtags: 0.3.0
- templateeditor: 0.1
Disabled:
- external
- files_antivirus
- files_external
- user_external
- user_ldap

Are you using external storage, if yes which one: local/smb/sftp/...
No
Are you using encryption: yes/no
Yes
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
No

Client configuration

Browser:
Google Chrome
Operating system:
Windows 10

Logs

Web server error log

Relevant cut from ssl_access_log:
1.1.1.1 - User [19/Apr/2018:21:26:40 -0700] "PUT /owncloud/remote.php/webdav/Github/ZoneMinder/web/api/.htaccess HTTP/1.1" 507 192
1.1.1.1 - User [19/Apr/2018:21:26:40 -0700] "PUT /owncloud/remote.php/webdav/Github/ZoneMinder/web/api/app/webroot/.htaccess HTTP/1.1" 507 192
1.1.1.1 - User [19/Apr/2018:21:26:40 -0700] "PUT /owncloud/remote.php/webdav/Github/ZoneMinder/web/api/lib/Cake/Console/Templates/skel/webroot/.htaccess HTTP/1.1" 507 192

ownCloud log (data/owncloud.log)

Empty

Browser log

Not relevant


#2

I think / IIRC .htaccess files are blocked by default from being uploaded. From what i know allowing to upload .htaccess files could be a security issue for your instance.


#3

Is this because of the way the owncloud developers decided to store the files on the local server? Is there a way to turn on name mangling? Otherwise, is there a setting I can enble/disable in Apache (Assuming that is what is blocking this)? Since I'm using encryption, I don't see how there could possibly be any security risk here because Apache shouldn't be able to parse the contents of the files.


#4

From what i know a user allowed to upload such a file could be able to reconfigure your webserver to e.g. make all files within the data dir of all users available to the public or similar.

Maybe you can find some more details on this at the bugtrackers on github?


#5

Right, which is why I asked if there was a "name mangling" setting -- something that would rename the files that are stored locally so that this conflict cannot happen.

I also mentioned that the files are encrypted -- so even if there was normally the potential to reconfigure the web server, it would be impossible in my case because the encrypted contents of the files would look like garbage to the web server.

Would using different web server software be a better solution? Nginx? Something that doesn't recognize .htaccess files? (Assuming that Nginx doesn't recognize .htaccess files). I'm asking this to the forum, not to you specifically tom42.


#6

If I am not mistaken we block .htaccess from beeing uploaded today. Same for any .part files.


#7

I've just have searched the issue tracker for you as previously advised and found the following discussion. This seems to be related and might contain some info you're looking for and how to remove the limitation from the ownCloud code on your own risk: https://github.com/owncloud/core/issues/30136

I think when allowing to upload .htaccess files measures needs to be taken on webserver level so uploaded .htaccess files doesn't pose a risk for your ownCloud instance. The use of the server side encryption might mitigate this for now but could pose a risk if you ever consider to disable it again in the future without additional measures.


#8

tom42,

Thanks for doing the research on this, and it's good to know they're aware of the incorrectly reported error, however I'm more interested in a workaround to this problem. I don't want another error message, even if correct, I want a way to store these "reserved" filenamed files.

I try to keep my source code in owncloud for obvious reasons -- this sometimes means forks from github. In this circumstance, these .htaccess files need to be there -- since it is a web based program that needs them.

What I was hoping for, but what I'm concluding doesn't exist, is a way to de-blacklist files like these and/or configure owncloud to use its own naming for the files stored in local storage so that there cannot be a conflict with the host.

At least now I know there's a file that specifically blacklists these files -- I can maybe ask for a feature request -- I assume through github and not here?


#9

In the referenced issue i had seen the following link https://github.com/owncloud/core/blob/v10.0.4/apps/files/lib/Capabilities.php#L62 which points to a "blacklisted_files" system value. After doing the following search:

https://doc.owncloud.org/server/latest/admin_manual/search.html?q=blacklisted_files

i had found the following documentation:

https://doc.owncloud.org/server/latest/admin_manual/configuration/server/excluded_blacklisted_files.html

(which is also mentioning the .htaccess). Maybe you can remove this limitation somehow by setting an empty blacklisted_files array or one with some non-existing or random file name?